Your data protection sucks – spam protection in times of the GDPR

The new European General Data Protection Regulation is on everyone’s lips these days. Hardly any customer conversation can do without the ominous letter combination. Was it GDRP, GRPD or GDPR? Not important at all, from May 25th you should be serious about data protection, and that’s a good thing.

Those who now expect concrete instructions from me will be disappointed by the following contribution. I am sufficiently informed on the topic to bring my WordPress installations, those of friends, acquaintances and customers to terms until May 25th, but my interest is not sufficient to punish myself by reading law texts and to chew the whole thing up here again. Others can do better. I want to write about a single WordPress plugin that currently appears in many articles: Antispam Bee.

Antispam Bee is one of the plugins that are maintained and developed by a group called “Pluginkollektiv”. The Pluginkollektiv consists of WordPress developers who have set themselves the goal of maintaining the excellent plugins by Sergej Müller and keeping them in the best possible condition for the many hundreds of thousands of users. Small disclaimer: I myself belong to the Pluginkollektiv, so in the following I am not only an uninvolved third party.

The trick in Antispam Bee – like in all plugins of the collective: it is designed from the beginning with German and European data protection in mind and today therefore offers the perfect solutions for all who want to make their websites somewhat more compliant with GDPR.

The problem with the whole GDPR hype is that now everyone, really everyone, feels called upon to pour their dangerous half-knowledge unchecked into blog posts. Certainly a dozen times in the last weeks I have read posts that rate WordPress plugins by how dangerous they are with regard to the GDPR.

… another popular solution to fight spam is Antispam Bee

Matt Mullenweg, Q&A WordCamp Europe 2014

A popular suggestion: Replace Akismet with Antispam Bee – both plugins are committed to fighting spam. Both plugins achieve this goal quite reliably. Akismet uses a central database for this purpose and is dependent on sending the data of commentators to an external server for processing. Antispam Bee uses intelligent spam detection directly in WordPress and therefore does not have to pass on (personal) data to third parties.

Yes that’s right, but….

But then we quickly end up in the land of illusions and confused ideas: I often read that Antispam Bee should be used with caution from a GDPR point of view. The criticism points to our optional use of an external spam database, the filter by country of origin and the feature to filter comments by language (based on a Google API). So let’s have a look at this criticism in detail: have the authors researched it correctly?

External spam database ☠️

One shot, one hit. The use of an external spam database, as we currently offer it in Antispam Bee, is at best problematic with the GDPR, at worst not allowed.

The function is not activated by default, and even without it the plugin detects spam quite reliably. To avoid an accidental misconfiguration, we will remove the integration of this database in Antispam Bee version 2.8. Version 2.8 is currently under development on GitHub and will be released before May 25th. If you don’t want to wait that long and want to be on the safe side today, you should check your own settings once and deactivate the option “Consider public spam database” in case of doubt.

Country filter 👌

Next station: the country filter. This is about IP addresses and the countries people live in. There must be a problem with data protection, right?

In fact, the IP addresses for these queries are only processed and transmitted in abbreviated form. So no problem as far as data protection is concerned. Truncated IP addresses are no longer considered personal information.

Speech filter 🙆‍♂️

The last highly suspicious feature on our list: the speech filter via the Google API. Before we get upset because I just said Google: breathe in, breathe out.

The Language Check is a super effective tool in the Antispam Bee toolbox. For example, if I publish a blog post in German, I can be sure that I won’t receive any serious Russian, Indian or Chinese comments. However, if a comment comes in in a foreign language, it is almost certainly spam.

This recognition cannot (yet) be done locally in WordPress. Therefore, we need to send data from the comment to Google, which does the recognition for us (a service the Pluginkollektiv pays for so that all Antispam Bee users can use it free of charge). However, anyone who suspects data protection problems here is wrong. When the speech filter is enabled, the first ten words of each comment are sent to the Google Speech Recognition Service. Ten words of commentary content. Not the email address, not the name of the person commenting, not the IP address. Bottom line: no personal data and therefore no problem.
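The two data-minimisation steps described above (abbreviated IP for the country filter, first ten words for the language filter), together with a check that nothing else leaves the site, as an added Python example that is not Antispam Bee's own code. The /24 and /64 truncation widths, the field names and the sample comment are assumptions; the post only says the address is abbreviated.

```python
import ipaddress
import json

# Assumed truncation widths; the post only says the IP is "abbreviated".
V4_PREFIX, V6_PREFIX = 24, 64
WORD_LIMIT = 10  # "the first ten words of each comment"

def truncate_ip(raw: str) -> str:
    """Zero the host bits so only the network part is processed or sent."""
    ip = ipaddress.ip_address(raw.strip())  # ValueError on junk: send nothing
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as IPv4; a /64 mask would
    # otherwise wipe the whole address and make the lookup useless.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = V4_PREFIX if ip.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def language_excerpt(body: str, limit: int = WORD_LIMIT) -> str:
    """Only the first `limit` whitespace-separated words of the comment."""
    return " ".join(body.split()[:limit])

def outbound_requests(comment: dict) -> dict:
    """Everything that would leave the site for the two optional checks."""
    return {
        "country_lookup": {"ip": truncate_ip(comment["ip"])},
        "language_detect": {"text": language_excerpt(comment["body"])},
    }

def leaked_fields(comment: dict, requests: dict,
                  private=("author", "email", "ip")) -> list:
    """Names of private fields whose exact value appears on the wire."""
    wire = json.dumps(requests, ensure_ascii=False)
    return [f for f in private if comment[f] in wire]

# Constructed sample comment (documentation IP range, example.org address).
SAMPLE = {
    "author": "Erika Mustermann",
    "email": "erika@example.org",
    "ip": "203.0.113.77",
    "body": "Danke für den Artikel! Ich habe die Option gerade bei mir "
            "deaktiviert und warte auf Version 2.8.",
}

if __name__ == "__main__":
    reqs = outbound_requests(SAMPLE)
    print(json.dumps(reqs, ensure_ascii=False, indent=2))
    print("leaked:", leaked_fields(SAMPLE, reqs))
```

`leaked_fields` also works as a regression check: feed it the request body captured from a staging site and it names any private field that slipped through unmodified.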

Bottom line

If you are currently checking an external spam database in Antispam Bee, you should either deactivate it now or wait for the next update, which will omit the option anyway.

Spread the Word. Friends don’t let friends blog nonsense about Antispam Bee 🙂

Behind the scenes, the collective continues to work diligently on the optimal usability of all its plugins. The collective doesn’t charge anything for this work: it won’t knock on your door, ask you aggressively for donations or note how many free evenings were sacrificed for working on plugins. Nevertheless it is happy about small donations, which are always welcome to cover running costs.

[Update 13.05.2018] The first beta version of Antispam Bee 2.8 is now available for testing on GitHub.

[Update 22.05.2018] Antispam Bee 2.8 is released and can be loaded via the plugin updates directly in the WordPress backend. 🎉 Alternatively you can download the plugin directly from You wanted to thank the Pluginkollektiv? Leave a review of the plugin ❤️